It's described very well by this diagram. It seems like the process used is convoluted and more round-about than it needs to be. Why is an intermediate random key generated for the payload's encryption and then transmitted with the message after its own encryption using the recipient's public key, instead of just using the recipient's public key directly on the message? Isn't it the same, as far as security properties go?

3 Answers
3

1. RSA encrypts only messages with a limited size. With a 1024-bit RSA key, RSA (as per PKCS#1) can process only 117 bytes of data. To encrypt more than that, one would have to do some chaining, i.e. split the data to encrypt into several 117-byte blocks and encrypt them separately. This is routinely done for symmetric encryption (this is called "modes of operation") but it is not that easy to do securely, and nobody quite knows how to do a secure mode of operation for RSA.

2. Hybrid encryption allows for efficient multi-recipient data. You symmetrically encrypt the data with a key K, then you encrypt K with the RSA key of each recipient. When you send a 3 MB file to 10 people, you would prefer to compute and send an encrypted email of size 3.01 MB, rather than ten 3 MB emails...

3. RSA enlarges your data. With a 1024-bit RSA key, you encrypt at most a 117-byte chunk, but you get 128 bytes on output, so that's a 10% enlargement. On the other hand, symmetric encryption incurs only a constant size increase.

4. RSA encryption and decryption are fast, but not very fast. Doing a lot of RSA could prove problematic in high-bandwidth contexts (it would be fine for emails, with today's machines, not for a VPN).

The fourth reason is the most often quoted, but actually the least compelling of the four.

Oooh, I especially like the second point. Has anyone ever heard of PGP being used for multi-party mailing lists?
– wwaawaw Sep 14 '12 at 0:10

I'd just like to double check -- a different K must be used for each message, correct? Thinking it through on my own, I'm almost so sure of this that I don't even want to waste your time with the question, but I would just like to make sure I understand what's going on correctly.
– wwaawaw Sep 14 '12 at 0:23
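The hybrid scheme from the answer above, as an added example that is not part of the original answers and is not PGP's own code or packet format. It assumes Ruby's bundled `openssl` library, with AES-256-GCM for the payload and RSA-OAEP for wrapping K; the names `seal`, `open_envelope` and `rsa_direct`, the hash layout and the sample keys are constructed for illustration.

```ruby
require "openssl"

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Encrypt msg once under a fresh random K (AES-256-GCM), then wrap K separately
# for every recipient with RSA-OAEP. The hash layout is constructed for this
# example; it is not the OpenPGP packet format.
def seal(msg, recipient_pubkeys)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  k = cipher.random_key        # new K for every message, never reused
  nonce = cipher.random_iv
  body = cipher.update(msg) + cipher.final
  { wrapped_keys: recipient_pubkeys.map { |pub| pub.public_encrypt(k, OAEP) },
    nonce: nonce, tag: cipher.auth_tag, body: body }
end

# Unwrap K with one recipient's private key, then authenticate and decrypt the body.
def open_envelope(env, private_key, index)
  k = private_key.private_decrypt(env[:wrapped_keys][index], OAEP)
  d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  d.key = k
  d.iv = env[:nonce]
  d.auth_tag = env[:tag]
  d.update(env[:body]) + d.final
end

# Direct RSA on the payload: returns the ciphertext, or nil when msg is larger
# than one RSA block can hold (the size limit from the answer above).
def rsa_direct(msg, pub)
  pub.public_encrypt(msg, OAEP)
rescue OpenSSL::PKey::PKeyError
  nil
end

if __FILE__ == $PROGRAM_NAME
  keys = Array.new(3) { OpenSSL::PKey::RSA.new(2048) } # constructed throwaway recipients
  msg = "constructed sample payload " * 1000
  env = seal(msg, keys.map(&:public_key))
  puts "payload #{msg.bytesize} B -> body #{env[:body].bytesize} B + #{env[:wrapped_keys].size} wrapped keys"
  puts "recipient 2 recovers it: #{open_envelope(env, keys[2], 2) == msg}"
  puts "direct RSA on the payload: #{rsa_direct(msg, keys[0].public_key).inspect}"
end
```

With the 2048-bit keys and OAEP padding used here, the direct-RSA limit is 214 bytes rather than the 117 bytes quoted for a 1024-bit key with PKCS#1 padding; the payload is stored once regardless of the number of recipients, and each recipient adds one 256-byte wrapped key.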

By comparison, DES (see Section 3.2) and other block ciphers are much faster than the RSA algorithm. DES is generally at least 100 times as fast in software and between 1,000 and 10,000 times as fast in hardware, depending on the implementation. Implementations of the RSA algorithm will probably narrow the gap a bit in coming years, due to high demand, but block ciphers will get faster as well.

So, encrypting a small symmetric key and then encrypting the data with that is much faster.

It's simply because RSA is A) Very slow B) Can only encrypt X amount of bits depending on the size of the key. The method here is generating an AES key which is much faster and can encrypt (AFAIK) an unlimited amount of bits. Because AES is symmetrical there is no way a party can give it to another party without encryption. This is why asymmetrical encryption (RSA) is used and why PGP requires people to have your public key to send you a message.